A common threat databases face is an attempt to discover a password by systematically trying every possible combination of letters, numbers and symbols. This is known as a brute force attack.
In this fourth episode of the MySQL Security series, we will see how the MySQL DBA can leverage the Connection-Control plugins to slow down brute force attacks.

The Connection-Control Plugins

The MySQL Server includes a plugin library that enables administrators to introduce an increasing delay in server response to clients after a certain number of consecutive failed connection attempts. This capability provides a deterrent that slows down brute force attacks that attempt to access MySQL user accounts.

Installation

In MySQL 5.7, the Connection-Control plugin is not installed by default:

Preliminary checks

mysql> SELECT version();
+-----------+
| version() |
+-----------+
| 5.7.21    |
+-----------+

mysql> SELECT PLUGIN_NAME, PLUGIN_STATUS
    -> FROM INFORMATION_SCHEMA.PLUGINS
    -> WHERE PLUGIN_NAME LIKE 'connection%';
Empty set (0.00 sec)

mysql> SHOW VARIABLES LIKE 'plugin_dir';
+---------------+--------------------------+
| Variable_name | Value                    |
+---------------+--------------------------+
| plugin_dir    | /usr/lib64/mysql/plugin/ |
+---------------+--------------------------+

The plugin library contains two plugins:

CONNECTION_CONTROL checks incoming connections and adds a delay to server responses as necessary.

CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS implements an INFORMATION_SCHEMA table that exposes more detailed monitoring information about failed connection attempts.

Alternatively, instead of registering the plugins at runtime with INSTALL PLUGIN, you can modify the configuration file (my.cnf / my.ini) and then restart the server:

Connection-Control Plugin Installation

[mysqld]
plugin-load-add=connection_control.so

If the plugins have been previously registered with INSTALL PLUGIN or are loaded with plugin-load-add, you can use the connection-control and connection-control-failed-login-attempts options at server startup to control plugin activation.

For example, to load the plugins at startup and prevent them from being removed at runtime, use these options:

load the plugins at startup and prevent them from being removed at runtime

[mysqld]
plugin-load-add=connection_control.so
connection-control=FORCE_PLUS_PERMANENT
connection-control-failed-login-attempts=FORCE_PLUS_PERMANENT

Configuration

To let you configure its operation, the CONNECTION_CONTROL plugin exposes 3 system variables:

Starting at the 3rd attempt, the delay before each server response increases (approximately +1 s (= 1000 ms) for each new failed connection attempt).

Monitoring

To monitor failed connections, use these information sources:

The Connection_control_delay_generated status variable indicates the number of times the server added a delay to its response to a failed connection attempt. This does not count attempts that occur before reaching the threshold defined by the connection_control_failed_connections_threshold system variable.
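To make the Configuration and Monitoring sections concrete, here is a small Python model, added for this post and not part of the plugin's own code, that replays a sequence of connection attempts per client and shows how the delay grows past the threshold, how a successful login resets the count, and how the number of generated delays mirrors Connection_control_delay_generated. The delay curve (+1000 ms per failed attempt from the threshold on, clamped to the min/max delay variables) is an assumption drawn from the text above, not the plugin's exact source, and the client name and the attacker's attempt sequence are constructed.

```python
from dataclasses import dataclass, field

# Default values of the real system variables (MySQL 5.7 documentation):
#   connection_control_failed_connections_threshold = 3
#   connection_control_min_connection_delay        = 1000 ms
#   connection_control_max_connection_delay        = 2147483647 ms
@dataclass
class ConnectionControlModel:
    failed_connections_threshold: int = 3
    min_connection_delay: int = 1000
    max_connection_delay: int = 2147483647
    # Consecutive failed attempts per client; reset by a successful login.
    failed_counts: dict = field(default_factory=dict)
    # Mirrors the Connection_control_delay_generated status variable:
    # counts only attempts to which a delay was actually added.
    delay_generated: int = 0

    def delay_for(self, consecutive_failures: int) -> int:
        """Delay in ms for the n-th consecutive failed attempt.

        Assumed model of the text: no delay below the threshold, then
        about +1000 ms per further failure, clamped to [min, max].
        """
        if consecutive_failures < self.failed_connections_threshold:
            return 0
        raw = (consecutive_failures - self.failed_connections_threshold + 1) * 1000
        return max(self.min_connection_delay, min(raw, self.max_connection_delay))

    def attempt(self, client: str, success: bool) -> int:
        """Record one connection attempt and return the delay applied (ms)."""
        if success:
            self.failed_counts[client] = 0
            return 0
        self.failed_counts[client] = self.failed_counts.get(client, 0) + 1
        delay = self.delay_for(self.failed_counts[client])
        if delay:
            self.delay_generated += 1
        return delay


def brute_force_cost_ms(attempts: int, **settings) -> int:
    """Total delay one client accumulates over `attempts` consecutive failures."""
    model = ConnectionControlModel(**settings)
    return sum(model.attempt("attacker-host", False) for _ in range(attempts))


if __name__ == "__main__":
    print("5 failed attempts, defaults:", brute_force_cost_ms(5), "ms")
    print("5 failed attempts, max 2000:", brute_force_cost_ms(5, max_connection_delay=2000), "ms")
```

Lowering connection_control_max_connection_delay bounds the per-attempt penalty, which is worth keeping in mind because the same delay also hits legitimate clients behind a shared source address.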